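# Mealie (recipe manager) behind Traefik, with a dedicated PostgreSQL instance.
# Required variables (from the shell or the .env file next to this compose file):
#   MEALIE_POSTGRES_PASSWORD    must equal the content of the secret file that is
#                               mounted into mealie-postgres
#   MEALIE_OIDC_CLIENT_SECRET   client secret registered for "mealie" in Authelia
services:
  mealie:
    # Tag plus digest: the digest is what gets pulled, the tag documents the
    # version. Both have to be changed together on an update.
    image: ghcr.io/mealie-recipes/mealie:v3.19.2@sha256:f68e959bf66f4f458893ea58facac71690fe6f2ac7a31466b5cecb41b4e99c02
    container_name: mealie
    restart: unless-stopped
    # OIDC: Authelia is reached via the host LAN IP -> Traefik (container DNS
    # cannot resolve auth.kaleschke.info otherwise); same pattern as Komodo.
    # SNI stays the hostname, so the Let's Encrypt certificate still validates.
    # The address is static: update it here if the host IP changes.
    extra_hosts:
      - "auth.kaleschke.info:192.168.178.58"
    environment:
      TZ: Europe/Berlin
      # Local self-registration is off; see OIDC_SIGNUP_ENABLED below for the
      # SSO path, which is controlled separately.
      ALLOW_SIGNUP: "false"
      PUID: "99"
      PGID: "100"
      DB_ENGINE: postgres
      POSTGRES_SERVER: mealie-postgres
      POSTGRES_DB: mealie
      POSTGRES_USER: mealie
      # ":?" makes compose abort when the variable is unset or empty instead of
      # silently starting the container with a blank password. The value is
      # passed as a plain environment variable, so it is readable through
      # `docker inspect` on this host.
      POSTGRES_PASSWORD: "${MEALIE_POSTGRES_PASSWORD:?MEALIE_POSTGRES_PASSWORD must be set}"
      BASE_URL: https://mealie.kaleschke.info
      # --- Authelia OIDC SSO (additive, 2026-06-06; local login remains) ---
      OIDC_AUTH_ENABLED: "true"
      OIDC_PROVIDER_NAME: Authelia
      OIDC_CONFIGURATION_URL: https://auth.kaleschke.info/.well-known/openid-configuration
      OIDC_CLIENT_ID: mealie
      # Same fail-fast guard as the database password.
      OIDC_CLIENT_SECRET: "${MEALIE_OIDC_CLIENT_SECRET:?MEALIE_OIDC_CLIENT_SECRET must be set}"
      # With this on, a Mealie account is created on first SSO login, so who
      # may sign up is decided by Authelia, not by ALLOW_SIGNUP.
      # NOTE(review): confirm the Authelia access policy for client "mealie"
      # is limited to the intended users, or restrict on the Mealie side with
      # OIDC_USER_GROUP.
      OIDC_SIGNUP_ENABLED: "true"
      # The login page is shown rather than redirecting straight to Authelia,
      # which keeps the local login usable.
      OIDC_AUTO_REDIRECT: "false"
      # NOTE(review): presumably gives SSO sessions the longer remember-me
      # lifetime; confirm this is wanted on shared devices.
      OIDC_REMEMBER_ME: "true"
    volumes:
      - /mnt/user/appdata/mealie/data:/app/data
    networks:
      # frontend_net: reachable by Traefik. mealie_internal: path to the DB.
      - frontend_net
      - mealie_internal
    security_opt:
      # Processes in the container cannot gain privileges via setuid/setgid.
      - no-new-privileges:true
    labels:
      - traefik.enable=true
      - traefik.docker.network=frontend_net
      - traefik.http.routers.mealie.rule=Host(`mealie.kaleschke.info`)
      - traefik.http.routers.mealie.entrypoints=websecure
      - traefik.http.routers.mealie.tls=true
      - traefik.http.routers.mealie.tls.certresolver=le
      - traefik.http.services.mealie.loadbalancer.server.port=9000

  mealie-postgres:
    # Pinned by digest, same as the application image.
    image: postgres:18.4@sha256:29ee7bb30d804447dc9a91fd0d74322ae1dc3a4072cc6346f70a5ed6e783b565
    container_name: mealie-postgres
    restart: unless-stopped
    environment:
      TZ: Europe/Berlin
      POSTGRES_USER: mealie
      POSTGRES_DB: mealie
      # Password is read from the mounted file, not from the environment.
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
      # Data directory sits below the /var/lib/postgresql volume mounted below.
      PGDATA: /var/lib/postgresql/18/docker
    volumes:
      - /mnt/user/appdata/mealie/postgres18:/var/lib/postgresql
      # Secret file is mounted read-only. NOTE(review): keep the host file
      # readable only by the account that needs it.
      - /mnt/user/appdata/secrets/mealie_postgres_password.txt:/run/secrets/postgres_password:ro
    networks:
      # Only on the internal network: no published ports, not attached to
      # frontend_net.
      - mealie_internal
    security_opt:
      - no-new-privileges:true

networks:
  # Created outside this file (shared with Traefik).
  frontend_net:
    external: true
  # internal: true isolates this bridge from external networks, so the
  # database is reachable only by containers attached to it.
  mealie_internal:
    driver: bridge
    internal: true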